Hi folks, I’m definitely on the mend and have most blog posts for the next week already drafted. I was going to post tonight about the ICO and their final decision about Baby’s Days / Sys IQ acting illegally and beyond the scope of the Data Protection Act; but I decided to post something more important, especially if you are a current Baby’s Days user.
Last night I received a blog comment from a parent of a child who is on a Baby’s Days subscription owned by a nursery. The parent is a web developer and wanted to write a script so that photos from the diary would automatically download to his home computer when he ran a programme.
The parent quickly found he was able to access not only his child’s photos but also all of the other children’s photos on the system and also photographs of parents signatures!
From my limited understanding of this, this is because of the way the code is set up. If you look at the code (which most parents wouldn’t, but they are perfectly entitled to) it provides a “path” if you like, direct to data. Each parents path should lead them only to their child. But in this case Baby’s Days had decided to basically remove the “fence” around the paths so that parents could access any path and whatever photos they wanted.
I know most parents provide permission for all parents to see their childs photos so this might not be a big deal to some (!!!) but also you have to remember parents access Baby’s Days on their phones. If that phone is lost anyone picking it up would have access to the over 100,000 images this nursery has saved. Also I’m pretty confident parents wouldn’t feel comfortable with anyone being able to save and copy their electronic signature? Also you have to ask if this could happen with photos could it happen with medical forms or concerns forms? Would a child be placed in danger by a parent accidentally coming across a “concern” form for example? These are very important questions that anyone using Baby’s Days really needs to be asking themselves.
The parent contacted Baby’s Days and they were their usually sunny selves and seemed rather blasé about it. They even said they would put the “fence” back for now so the paths only led to parents children, but they would take the fence down at a later date when they needed to talk to the nursery again?!
I’ve been planning a post for a while now about data security and the fact that Baby’s Days is designed more around security by obscurity, not by design. Sadly what this parent has discovered is just the tip of the iceberg and as soon as I have more info I will of course be posting it here.
In the meantime if you are still using Baby’s Days please back up your data and think about what sorts of data you are storing there and what it could mean for the children in your care if it fell into the wrong hands.